package org.keycloak.services.managers;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.AuthenticationFlowException;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.ConsoleDisplayMode;
import org.keycloak.authentication.DisplayTypeRequiredActionFactory;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionContextResult;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.authentication.actiontoken.DefaultActionTokenKey;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.ActionTokenStoreProvider;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.SystemClientUtil;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.IdentityBrokerService;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.CookieHelper;
import org.keycloak.services.util.P3PHelper;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.sessions.RootAuthenticationSessionModel;
import org.keycloak.social.stackoverflow.StackoverflowIdentityProvider;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/services/managers/AuthenticationManager.class */
public class AuthenticationManager {
    // Auth-session / user-session note keys and browser cookie names used by the login and
    // logout flows. Only the ones referenced in the visible part of this class are described.
    public static final String SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS = "SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS";
    public static final String END_AFTER_REQUIRED_ACTIONS = "END_AFTER_REQUIRED_ACTIONS";
    public static final String INVALIDATE_ACTION_TOKEN = "INVALIDATE_ACTION_TOKEN";
    // Prefix of the auth-session note that records a client's logout progress; the client's
    // internal id is appended (see setClientLogoutAction / getClientLogoutAction).
    public static final String CLIENT_LOGOUT_STATE = "logout.state.";
    public static final String AUTH_TIME = "AUTH_TIME";
    public static final String SSO_AUTH = "SSO_AUTH";
    public static final String FORM_USERNAME = "username";
    // HttpOnly cookie holding the signed identity token (see createLoginCookie).
    public static final String KEYCLOAK_IDENTITY_COOKIE = "KEYCLOAK_IDENTITY";
    // Non-HttpOnly cookie holding "<realm>/<userId>[/<sessionId>]" -- ids only, no token.
    public static final String KEYCLOAK_SESSION_COOKIE = "KEYCLOAK_SESSION";
    // Cookie holding "username:<name>" for realms with remember-me enabled.
    public static final String KEYCLOAK_REMEMBER_ME = "KEYCLOAK_REMEMBER_ME";
    // User-session note naming the LoginProtocol that renders the final browser-logout response.
    public static final String KEYCLOAK_LOGOUT_PROTOCOL = "KEYCLOAK_LOGOUT_PROTOCOL";
    protected static final Logger logger = Logger.getLogger(AuthenticationManager.class);
    // Token-type check handed to the verifier for identity cookies; "Serialized-ID" is the type
    // createIdentityToken stamps, so only tokens minted for the cookie pass this check.
    private static final TokenVerifier.TokenTypeCheck VALIDATE_IDENTITY_COOKIE = new TokenVerifier.TokenTypeCheck("Serialized-ID");

    /* loaded from: input_file:org/keycloak/services/managers/AuthenticationManager$AuthResult.class */
    /**
     * Immutable result of a successful cookie/token authentication: the resolved user,
     * the user session the token belongs to, and the verified access token.
     */
    public static class AuthResult {
        private final UserModel user;
        private final UserSessionModel session;
        private final AccessToken token;

        /**
         * @param userModel        the authenticated user
         * @param userSessionModel the user session the token points at
         * @param accessToken      the verified token
         */
        public AuthResult(UserModel userModel, UserSessionModel userSessionModel, AccessToken accessToken) {
            user = userModel;
            session = userSessionModel;
            token = accessToken;
        }

        /** @return the verified access token */
        public AccessToken getToken() {
            return token;
        }

        /** @return the authenticated user */
        public UserModel getUser() {
            return user;
        }

        /** @return the user session the token belongs to */
        public UserSessionModel getSession() {
            return session;
        }
    }

    /* loaded from: input_file:org/keycloak/services/managers/AuthenticationManager$AuthenticationStatus.class */
    /**
     * Coarse outcome of an authentication attempt. None of the methods visible in this
     * class reference it; each value means what its name says.
     */
    public enum AuthenticationStatus {
        SUCCESS,
        ACCOUNT_TEMPORARILY_DISABLED,
        ACCOUNT_DISABLED,
        ACTIONS_REQUIRED,
        INVALID_USER,
        INVALID_CREDENTIALS,
        MISSING_PASSWORD,
        MISSING_TOTP,
        FAILED
    }

    /**
     * Tells whether an online user session is still within the realm's SSO idle timeout
     * and maximum lifespan. The remember-me variants of both limits are used when the
     * session was created with remember-me and the realm configures them (value > 0).
     *
     * @param realmModel       realm whose SSO limits apply
     * @param userSessionModel session to check; {@code null} is reported as invalid
     * @return {@code true} if the session has neither idled out nor outlived its max lifespan
     */
    public static boolean isSessionValid(RealmModel realmModel, UserSessionModel userSessionModel) {
        if (userSessionModel == null) {
            logger.debug("No user session");
            return false;
        }
        boolean rememberMe = userSessionModel.isRememberMe();
        int now = Time.currentTime();

        int idleTimeout = rememberMe && realmModel.getSsoSessionIdleTimeoutRememberMe() > 0
                ? realmModel.getSsoSessionIdleTimeoutRememberMe()
                : realmModel.getSsoSessionIdleTimeout();
        // 120 s of grace are subtracted from the idle time (presumably to tolerate refresh/clock skew).
        int idleFor = (now - userSessionModel.getLastSessionRefresh()) - 120;
        if (idleTimeout <= idleFor) {
            return false;
        }

        int maxLifespan = rememberMe && realmModel.getSsoSessionMaxLifespanRememberMe() > 0
                ? realmModel.getSsoSessionMaxLifespanRememberMe()
                : realmModel.getSsoSessionMaxLifespan();
        return maxLifespan > now - userSessionModel.getStarted();
    }

    /**
     * Tells whether an offline user session is still valid: not idle beyond the realm's
     * offline idle timeout (plus 120 s grace) and, when the realm enables it, not older
     * than the offline max lifespan.
     *
     * @param realmModel       realm whose offline-session limits apply
     * @param userSessionModel offline session to check; {@code null} is reported as invalid
     * @return {@code true} if the session is still usable
     */
    public static boolean isOfflineSessionValid(RealmModel realmModel, UserSessionModel userSessionModel) {
        if (userSessionModel == null) {
            logger.debug("No offline user session");
            return false;
        }
        int now = Time.currentTime();
        // Same 120 s grace as for online sessions.
        int idleDeadline = userSessionModel.getLastSessionRefresh() + realmModel.getOfflineSessionIdleTimeout() + 120;
        boolean notIdle = idleDeadline > now;
        if (!realmModel.isOfflineSessionMaxLifespanEnabled()) {
            return notIdle;
        }
        return notIdle && userSessionModel.getStarted() + realmModel.getOfflineSessionMaxLifespan() > now;
    }

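    /**
     * Expires the browser identity cookie, but only when the cookie presented in the
     * request verifies and points at {@code userSessionModel}. A missing cookie, a cookie
     * that fails signature/type verification, or one bound to a different session is left
     * untouched, so logging out one session never clears another session's cookie.
     *
     * <p>Best effort: any failure is logged at debug level and otherwise ignored
     * (the original swallowed it silently, which hid verification problems).
     */
    public static void expireUserSessionCookie(KeycloakSession keycloakSession, UserSessionModel userSessionModel, RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders, ClientConnection clientConnection) {
        try {
            Cookie cookie = httpHeaders.getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
            if (cookie == null) {
                return;
            }
            // Signature, realm URL and token type are verified; checkActive(false) skips the
            // expiry check, so an already-expired cookie for this session is still cleared.
            TokenVerifier<AccessToken> verifier = TokenVerifier.create(cookie.getValue(), AccessToken.class)
                    .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realmModel.getName()))
                    .checkActive(false)
                    .checkTokenType(false)
                    .withChecks(VALIDATE_IDENTITY_COOKIE);
            String algorithm = verifier.getHeader().getAlgorithm().name();
            String keyId = verifier.getHeader().getKeyId();
            SignatureProvider signatureProvider = keycloakSession.getProvider(SignatureProvider.class, algorithm);
            verifier.verifierContext(signatureProvider.verifier(keyId));

            String sessionState = verifier.verify().getToken().getSessionState();
            UserSessionModel cookieSession = keycloakSession.sessions().getUserSession(realmModel, sessionState);
            if (cookieSession == null || !cookieSession.getId().equals(userSessionModel.getId())) {
                return;
            }
            expireIdentityCookie(realmModel, uriInfo, clientConnection);
        } catch (Exception e) {
            // An unverifiable cookie is not this session's cookie; nothing to expire. Log so
            // signature/key problems are at least visible at debug level.
            logger.debug("Identity cookie could not be verified while expiring the user session cookie", e);
        }
    }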

    /**
     * Back-channel logs out {@code userSessionModel} using the realm, URI info, connection
     * and request headers of the current {@link KeycloakSession} context.
     *
     * @param z also notify the identity provider (broker) recorded in the session, if any
     */
    public static void backchannelLogout(KeycloakSession keycloakSession, UserSessionModel userSessionModel, boolean z) {
        backchannelLogout(
                keycloakSession,
                keycloakSession.getContext().getRealm(),
                userSessionModel,
                keycloakSession.getContext().getUri(),
                keycloakSession.getContext().getConnection(),
                keycloakSession.getContext().getRequestHeaders(),
                z);
    }

    /**
     * Back-channel logs out an online user session; delegates to the full overload with
     * the offline flag cleared.
     *
     * @param z also notify the identity provider (broker) recorded in the session, if any
     */
    public static void backchannelLogout(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection, HttpHeaders httpHeaders, boolean z) {
        boolean offlineSession = false;
        backchannelLogout(keycloakSession, realmModel, userSessionModel, uriInfo, clientConnection, httpHeaders, z, offlineSession);
    }

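    /**
     * Server-side logout of a user session: marks it LOGGING_OUT, expires the identity
     * cookie when the request carries this session's cookie, back-channel logs out every
     * client session (and the brokering identity provider when {@code z} is set), then
     * marks the session LOGGED_OUT and removes it.
     *
     * <p>The scratch auth session used to track per-client logout state is removed in a
     * {@code finally}; the previous catch-all also covered the session removal below it,
     * so a failure there removed the auth session a second time.
     *
     * @param z  also notify the identity provider named in the session's
     *           {@code identity_provider} note
     * @param z2 the session is an offline session: revoke it via {@link UserSessionManager}
     *           and also remove the online session with the same id, if one exists
     */
    public static void backchannelLogout(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection, HttpHeaders httpHeaders, boolean z, boolean z2) {
        if (userSessionModel == null) {
            return;
        }
        UserModel user = userSessionModel.getUser();
        if (userSessionModel.getState() != UserSessionModel.State.LOGGING_OUT) {
            userSessionModel.setState(UserSessionModel.State.LOGGING_OUT);
        }
        logger.debugv("Logging out: {0} ({1}) offline: {2}", user.getUsername(), userSessionModel.getId(), Boolean.valueOf(userSessionModel.isOffline()));
        expireUserSessionCookie(keycloakSession, userSessionModel, realmModel, uriInfo, httpHeaders, clientConnection);

        AuthenticationSessionManager asm = new AuthenticationSessionManager(keycloakSession);
        AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(keycloakSession, realmModel, asm, userSessionModel, false);
        try {
            backchannelLogoutAll(keycloakSession, realmModel, userSessionModel, logoutAuthSession, uriInfo, httpHeaders, z);
            checkUserSessionOnlyHasLoggedOutClients(realmModel, userSessionModel, logoutAuthSession);
        } finally {
            // Per-logout scratch state; dropped exactly once whether or not the client logouts succeeded.
            asm.removeAuthenticationSession(realmModel, logoutAuthSession, false);
        }

        userSessionModel.setState(UserSessionModel.State.LOGGED_OUT);
        if (z2) {
            new UserSessionManager(keycloakSession).revokeOfflineUserSession(userSessionModel);
            // Also drop the online session with the same id, if one exists.
            UserSessionModel onlineSession = keycloakSession.sessions().getUserSession(realmModel, userSessionModel.getId());
            if (onlineSession != null) {
                keycloakSession.sessions().removeUserSession(realmModel, onlineSession);
            }
        } else {
            keycloakSession.sessions().removeUserSession(realmModel, userSessionModel);
        }
    }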

    /**
     * Finds or creates the auth session (system client, action LOGGING_OUT) that records
     * per-client logout progress for this logout.
     *
     * <p>With {@code z} set, the browser's current root auth session is reused and the
     * auth-session cookie is (re)set when the browser had none; otherwise the root auth
     * session is keyed by the user session id and created on demand.
     */
    private static AuthenticationSessionModel createOrJoinLogoutSession(KeycloakSession keycloakSession, RealmModel realmModel, AuthenticationSessionManager authenticationSessionManager, UserSessionModel userSessionModel, boolean z) {
        ClientModel systemClient = SystemClientUtil.getSystemClient(realmModel);
        RootAuthenticationSessionModel rootAuthSession = z
                ? authenticationSessionManager.getCurrentRootAuthenticationSession(realmModel)
                : null;
        boolean joinedBrowserSession = rootAuthSession != null;

        String rootId;
        if (joinedBrowserSession) {
            rootId = rootAuthSession.getId();
        } else {
            rootId = userSessionModel.getId();
            rootAuthSession = keycloakSession.authenticationSessions().getRootAuthenticationSession(realmModel, rootId);
            if (rootAuthSession == null) {
                rootAuthSession = keycloakSession.authenticationSessions().createRootAuthenticationSession(rootId, realmModel);
            }
        }
        if (z && !joinedBrowserSession) {
            authenticationSessionManager.setAuthSessionCookie(rootId, realmModel);
        }

        final RootAuthenticationSessionModel root = rootAuthSession;
        String loggingOut = CommonClientSessionModel.Action.LOGGING_OUT.name();
        AuthenticationSessionModel logoutSession = root.getAuthenticationSessions().values().stream()
                .filter(authSession -> systemClient.equals(authSession.getClient())
                        && Objects.equals(loggingOut, authSession.getAction()))
                .findFirst()
                .orElseGet(() -> root.createAuthenticationSession(systemClient));
        logoutSession.setAction(loggingOut);
        return logoutSession;
    }

    /**
     * Back-channel logs out every client session of the user session and, when {@code z}
     * is set and the session records an {@code identity_provider} note, the broker too.
     * Broker failures are logged and do not abort the logout.
     */
    private static void backchannelLogoutAll(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, AuthenticationSessionModel authenticationSessionModel, UriInfo uriInfo, HttpHeaders httpHeaders, boolean z) {
        for (AuthenticatedClientSessionModel clientSession : userSessionModel.getAuthenticatedClientSessions().values()) {
            backchannelLogoutClientSession(keycloakSession, realmModel, clientSession, authenticationSessionModel, uriInfo, httpHeaders);
        }
        if (!z) {
            return;
        }
        String brokerAlias = userSessionModel.getNote("identity_provider");
        if (brokerAlias == null) {
            return;
        }
        try {
            IdentityBrokerService.getIdentityProvider(keycloakSession, realmModel, brokerAlias)
                    .backchannelLogout(keycloakSession, userSessionModel, uriInfo, realmModel);
        } catch (Exception e) {
            logger.warn("Exception at broker backchannel logout for broker " + brokerAlias, e);
        }
    }

    /**
     * Reports whether every client session of the user session has been logged out, by
     * the auth-session logout note or by the client session's own action. Client sessions
     * without a protocol are ignored. Remaining clients are listed in a warning.
     *
     * @return {@code true} if no client session is still logged in
     */
    private static boolean checkUserSessionOnlyHasLoggedOutClients(RealmModel realmModel, UserSessionModel userSessionModel, AuthenticationSessionModel authenticationSessionModel) {
        String loggedOutName = CommonClientSessionModel.Action.LOGGED_OUT.name();
        Set<AuthenticatedClientSessionModel> stillLoggedIn = new HashSet<>();
        for (Map.Entry<String, AuthenticatedClientSessionModel> entry : userSessionModel.getAuthenticatedClientSessions().entrySet()) {
            AuthenticatedClientSessionModel clientSession = entry.getValue();
            CommonClientSessionModel.Action recorded = getClientLogoutAction(authenticationSessionModel, entry.getKey());
            if (Objects.equals(CommonClientSessionModel.Action.LOGGED_OUT, recorded)) {
                continue;
            }
            if (Objects.equals(loggedOutName, clientSession.getAction())) {
                continue;
            }
            if (clientSession.getProtocol() == null) {
                continue;
            }
            stillLoggedIn.add(clientSession);
        }

        if (stillLoggedIn.isEmpty()) {
            if (logger.isDebugEnabled()) {
                logger.debugf("All clients have been logged out for user %s in %s realm, session %s", userSessionModel.getUser().getUsername(), realmModel.getName(), userSessionModel.getId());
            }
            return true;
        }
        String clientIds = stillLoggedIn.stream()
                .map(AuthenticatedClientSessionModel::getClient)
                .map(ClientModel::getClientId)
                .sorted()
                .collect(Collectors.joining(", "));
        logger.warnf("Some clients have been not been logged out for user %s in %s realm: %s", userSessionModel.getUser().getUsername(), realmModel.getName(), clientIds);
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Back-channel logs out one client session via its {@link LoginProtocol}. Clients
     * configured for frontchannel logout are skipped; progress is recorded in the logout
     * auth session so a client is not contacted twice.
     *
     * @return {@code true} if the client was (or already was being) logged out through
     *         the back channel; {@code false} for frontchannel clients, already
     *         logged-out sessions, or when the protocol call failed
     */
    public static boolean backchannelLogoutClientSession(KeycloakSession keycloakSession, RealmModel realmModel, AuthenticatedClientSessionModel authenticatedClientSessionModel, AuthenticationSessionModel authenticationSessionModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        UserSessionModel userSession = authenticatedClientSessionModel.getUserSession();
        ClientModel client = authenticatedClientSessionModel.getClient();
        if (client.isFrontchannelLogout()) {
            return false;
        }
        if (CommonClientSessionModel.Action.LOGGED_OUT.name().equals(authenticatedClientSessionModel.getAction())) {
            return false;
        }
        String clientUuid = client.getId();
        CommonClientSessionModel.Action recorded = getClientLogoutAction(authenticationSessionModel, clientUuid);
        boolean alreadyHandled = recorded == CommonClientSessionModel.Action.LOGGED_OUT
                || recorded == CommonClientSessionModel.Action.LOGGING_OUT;
        if (alreadyHandled) {
            return true;
        }
        try {
            setClientLogoutAction(authenticationSessionModel, clientUuid, CommonClientSessionModel.Action.LOGGING_OUT);
            String protocolId = authenticatedClientSessionModel.getProtocol();
            if (protocolId == null) {
                return true;
            }
            logger.debugv("backchannel logout to: {0}", client.getClientId());
            LoginProtocol protocol = keycloakSession.getProvider(LoginProtocol.class, protocolId);
            protocol.setRealm(realmModel).setHttpHeaders(httpHeaders).setUriInfo(uriInfo);
            protocol.backchannelLogout(userSession, authenticatedClientSessionModel);
            setClientLogoutAction(authenticationSessionModel, clientUuid, CommonClientSessionModel.Action.LOGGED_OUT);
            return true;
        } catch (Exception e) {
            ServicesLogger.LOGGER.failedToLogoutClient(e);
            return false;
        }
    }

    /**
     * Asks the client's {@link LoginProtocol} for a frontchannel logout response for one
     * client session. Only clients configured for frontchannel logout that are not yet
     * logged out (per client session action and per logout auth session) are handled.
     *
     * @return the response to send to the browser, or {@code null} if there is nothing to
     *         do for this client or the protocol call failed
     */
    private static Response frontchannelLogoutClientSession(KeycloakSession keycloakSession, RealmModel realmModel, AuthenticatedClientSessionModel authenticatedClientSessionModel, AuthenticationSessionModel authenticationSessionModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        UserSessionModel userSession = authenticatedClientSessionModel.getUserSession();
        ClientModel client = authenticatedClientSessionModel.getClient();
        if (!client.isFrontchannelLogout()) {
            return null;
        }
        if (CommonClientSessionModel.Action.LOGGED_OUT.name().equals(authenticatedClientSessionModel.getAction())) {
            return null;
        }
        String clientUuid = client.getId();
        CommonClientSessionModel.Action recorded = getClientLogoutAction(authenticationSessionModel, clientUuid);
        if (recorded == CommonClientSessionModel.Action.LOGGED_OUT || recorded == CommonClientSessionModel.Action.LOGGING_OUT) {
            return null;
        }
        try {
            setClientLogoutAction(authenticationSessionModel, clientUuid, CommonClientSessionModel.Action.LOGGING_OUT);
            String protocolId = authenticatedClientSessionModel.getProtocol();
            if (protocolId == null) {
                return null;
            }
            logger.debugv("frontchannel logout to: {0}", client.getClientId());
            LoginProtocol protocol = keycloakSession.getProvider(LoginProtocol.class, protocolId);
            protocol.setRealm(realmModel).setHttpHeaders(httpHeaders).setUriInfo(uriInfo);
            Response logoutResponse = protocol.frontchannelLogout(userSession, authenticatedClientSessionModel);
            if (logoutResponse == null) {
                return null;
            }
            logger.debug("returning frontchannel logout request to client");
            setClientLogoutAction(authenticationSessionModel, clientUuid, CommonClientSessionModel.Action.LOGGED_OUT);
            return logoutResponse;
        } catch (Exception e) {
            ServicesLogger.LOGGER.failedToLogoutClient(e);
            return null;
        }
    }

    /**
     * Records a client's logout progress as an auth note keyed by
     * {@code CLIENT_LOGOUT_STATE + clientId}. A {@code null} auth session or client id
     * means there is nowhere to record it, and the call is a no-op.
     *
     * @param str    client's internal id
     * @param action LOGGING_OUT or LOGGED_OUT
     */
    public static void setClientLogoutAction(AuthenticationSessionModel authenticationSessionModel, String str, CommonClientSessionModel.Action action) {
        boolean canRecord = authenticationSessionModel != null && str != null;
        if (canRecord) {
            authenticationSessionModel.setAuthNote(CLIENT_LOGOUT_STATE + str, action.name());
        }
    }

    /**
     * Reads the logout progress recorded by {@link #setClientLogoutAction}.
     *
     * @param str client's internal id
     * @return the recorded action, or {@code null} when no auth session, no id or no note
     */
    public static CommonClientSessionModel.Action getClientLogoutAction(AuthenticationSessionModel authenticationSessionModel, String str) {
        if (authenticationSessionModel == null || str == null) {
            return null;
        }
        String recorded = authenticationSessionModel.getAuthNote(CLIENT_LOGOUT_STATE + str);
        return recorded == null ? null : CommonClientSessionModel.Action.valueOf(recorded);
    }

    /**
     * Logs a user out of a single client across all of the user's sessions: each matching
     * client session is back-channel logged out, marked LOGGED_OUT and detached. No logout
     * auth session is passed ({@code null}), so no per-client progress is recorded.
     */
    public static void backchannelLogoutUserFromClient(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, ClientModel clientModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        String clientUuid = clientModel.getId();
        for (UserSessionModel userSession : keycloakSession.sessions().getUserSessions(realmModel, userModel)) {
            AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(clientUuid);
            if (clientSession == null) {
                continue;
            }
            backchannelLogoutClientSession(keycloakSession, realmModel, clientSession, null, uriInfo, httpHeaders);
            clientSession.setAction(CommonClientSessionModel.Action.LOGGED_OUT.name());
            TokenManager.dettachClientSession(keycloakSession.sessions(), realmModel, clientSession);
        }
    }

    /**
     * Browser-initiated logout. Logs out all clients (returning early with a frontchannel
     * logout page when one is needed), then gives the brokering identity provider a chance
     * to return its own logout response, and finally completes the logout.
     *
     * @param str broker alias compared against the session's {@code identity_provider}
     *            note; a matching alias skips the broker round-trip
     * @return the response to send to the browser, or {@code null} if there is no session
     */
    public static Response browserLogout(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection, HttpHeaders httpHeaders, String str) {
        if (userSessionModel == null) {
            return null;
        }
        if (logger.isDebugEnabled()) {
            logger.debugv("Logging out: {0} ({1})", userSessionModel.getUser().getUsername(), userSessionModel.getId());
        }
        if (userSessionModel.getState() != UserSessionModel.State.LOGGING_OUT) {
            userSessionModel.setState(UserSessionModel.State.LOGGING_OUT);
        }

        AuthenticationSessionManager asm = new AuthenticationSessionManager(keycloakSession);
        AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(keycloakSession, realmModel, asm, userSessionModel, true);
        Response clientLogoutPage = browserLogoutAllClients(userSessionModel, keycloakSession, realmModel, httpHeaders, uriInfo, logoutAuthSession);
        if (clientLogoutPage != null) {
            return clientLogoutPage;
        }

        String brokerAlias = userSessionModel.getNote("identity_provider");
        if (brokerAlias != null && !brokerAlias.equals(str)) {
            Response brokerLogout = IdentityBrokerService.getIdentityProvider(keycloakSession, realmModel, brokerAlias)
                    .keycloakInitiatedBrowserLogout(keycloakSession, userSessionModel, uriInfo, realmModel);
            if (brokerLogout != null) {
                return brokerLogout;
            }
        }
        return finishBrowserLogout(keycloakSession, realmModel, userSessionModel, uriInfo, clientConnection, httpHeaders);
    }

    /**
     * Logs out every not-yet-logged-out client session that has a protocol: backchannel
     * clients are all contacted; frontchannel clients are handled one at a time, and the
     * first one that needs a browser round-trip short-circuits with its response.
     *
     * @return a frontchannel logout response to send to the browser, or {@code null}
     */
    private static Response browserLogoutAllClients(UserSessionModel userSessionModel, KeycloakSession keycloakSession, RealmModel realmModel, HttpHeaders httpHeaders, UriInfo uriInfo, AuthenticationSessionModel authenticationSessionModel) {
        String loggedOutName = CommonClientSessionModel.Action.LOGGED_OUT.name();
        Map<Boolean, List<AuthenticatedClientSessionModel>> byFrontchannel = userSessionModel.getAuthenticatedClientSessions().values().stream()
                .filter(cs -> !Objects.equals(loggedOutName, cs.getAction()))
                .filter(cs -> cs.getProtocol() != null)
                .collect(Collectors.partitioningBy(cs -> cs.getClient().isFrontchannelLogout()));

        List<AuthenticatedClientSessionModel> backchannelClients = byFrontchannel.get(false);
        if (backchannelClients == null) {
            backchannelClients = Collections.emptyList();
        }
        for (AuthenticatedClientSessionModel clientSession : backchannelClients) {
            backchannelLogoutClientSession(keycloakSession, realmModel, clientSession, authenticationSessionModel, uriInfo, httpHeaders);
        }

        List<AuthenticatedClientSessionModel> frontchannelClients = byFrontchannel.get(true);
        if (frontchannelClients == null) {
            frontchannelClients = Collections.emptyList();
        }
        for (AuthenticatedClientSessionModel clientSession : frontchannelClients) {
            Response logoutResponse = frontchannelLogoutClientSession(keycloakSession, realmModel, clientSession, authenticationSessionModel, uriInfo, httpHeaders);
            if (logoutResponse != null) {
                return logoutResponse;
            }
        }
        return null;
    }

    /**
     * Completes a browser logout: verifies all clients are logged out (warning otherwise),
     * expires the identity and remember-me cookies, marks the session LOGGED_OUT, lets the
     * protocol named in the {@code KEYCLOAK_LOGOUT_PROTOCOL} note build the final response,
     * and removes both the user session and the logout root auth session.
     *
     * @return the protocol's logout response
     */
    public static Response finishBrowserLogout(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection, HttpHeaders httpHeaders) {
        AuthenticationSessionManager asm = new AuthenticationSessionManager(keycloakSession);
        AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(keycloakSession, realmModel, asm, userSessionModel, true);
        checkUserSessionOnlyHasLoggedOutClients(realmModel, userSessionModel, logoutAuthSession);
        expireIdentityCookie(realmModel, uriInfo, clientConnection);
        expireRememberMeCookie(realmModel, uriInfo, clientConnection);
        userSessionModel.setState(UserSessionModel.State.LOGGED_OUT);

        // The protocol id was recorded in the user session (presumably when the logout started).
        String logoutProtocolId = userSessionModel.getNote(KEYCLOAK_LOGOUT_PROTOCOL);
        EventBuilder event = new EventBuilder(realmModel, keycloakSession, clientConnection);
        LoginProtocol protocol = keycloakSession.getProvider(LoginProtocol.class, logoutProtocolId);
        protocol.setRealm(realmModel).setHttpHeaders(httpHeaders).setUriInfo(uriInfo).setEventBuilder(event);
        Response logoutResponse = protocol.finishLogout(userSessionModel);

        keycloakSession.sessions().removeUserSession(realmModel, userSessionModel);
        keycloakSession.authenticationSessions().removeRootAuthenticationSession(realmModel, logoutAuthSession.getParentSession());
        return logoutResponse;
    }

    /**
     * Builds the token stored in the identity cookie: fresh id, issued-now, subject = user
     * id, issuer {@code str}, type "Serialized-ID", the session id (when a session is
     * given), an expiration derived from the realm's SSO max lifespan, and a
     * {@code state_checker} claim.
     *
     * <p>The state checker is a random secret generated once per {@link KeycloakSession}
     * (cached as a session attribute) and copied into the token's other claims.
     *
     * @param str issuer URL to put in the token
     */
    public static IdentityCookieToken createIdentityToken(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, UserSessionModel userSessionModel, String str) {
        IdentityCookieToken token = new IdentityCookieToken();
        token.id(KeycloakModelUtils.generateId());
        token.issuedNow();
        token.subject(userModel.getId());
        token.issuer(str);
        token.type("Serialized-ID");
        if (userSessionModel != null) {
            token.setSessionState(userSessionModel.getId());
        }

        // Remember-me sessions get the remember-me lifespan when the realm configures one (> 0).
        int lifespan = 0;
        boolean rememberMe = userSessionModel != null && userSessionModel.isRememberMe();
        if (rememberMe && realmModel.getSsoSessionMaxLifespanRememberMe() > 0) {
            lifespan = realmModel.getSsoSessionMaxLifespanRememberMe();
        } else if (realmModel.getSsoSessionMaxLifespan() > 0) {
            lifespan = realmModel.getSsoSessionMaxLifespan();
        }
        if (lifespan > 0) {
            token.expiration(Time.currentTime() + lifespan);
        }

        String stateChecker = (String) keycloakSession.getAttribute("state_checker");
        if (stateChecker == null) {
            stateChecker = Base64Url.encode(KeycloakModelUtils.generateSecret());
            keycloakSession.setAttribute("state_checker", stateChecker);
        }
        token.getOtherClaims().put("state_checker", stateChecker);
        return token;
    }

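    /**
     * Sets the browser cookies that represent a logged-in user: the HttpOnly
     * {@code KEYCLOAK_IDENTITY} cookie carrying the signed identity token, and the
     * script-readable {@code KEYCLOAK_SESSION} cookie carrying
     * {@code <realm>/<userId>[/<sessionId>]} (ids only, no token).
     *
     * <p>The identity cookie is a browser-session cookie (max-age -1) unless the user
     * session is remember-me, in which case both cookies get the realm's remember-me SSO
     * max lifespan (falling back to the regular SSO max lifespan when that is 0). The
     * session cookie otherwise gets the regular SSO max lifespan.
     *
     * <p>Fix: {@code userSessionModel} may be {@code null} (the code above already guards
     * it), but the session-cookie max-age previously dereferenced it unconditionally; a
     * missing session is now treated as not remember-me.
     */
    public static void createLoginCookie(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection) {
        String cookiePath = getIdentityCookiePath(realmModel, uriInfo);
        String issuer = Urls.realmIssuer(uriInfo.getBaseUri(), realmModel.getName());
        String encodedToken = keycloakSession.tokens().encode(createIdentityToken(keycloakSession, realmModel, userModel, userSessionModel, issuer));
        boolean secureOnly = realmModel.getSslRequired().isRequired(clientConnection);

        boolean rememberMe = userSessionModel != null && userSessionModel.isRememberMe();
        int rememberMeLifespan = realmModel.getSsoSessionMaxLifespanRememberMe() > 0
                ? realmModel.getSsoSessionMaxLifespanRememberMe()
                : realmModel.getSsoSessionMaxLifespan();

        // Identity cookie: HttpOnly (last argument true) so page scripts cannot read the token.
        int identityMaxAge = rememberMe ? rememberMeLifespan : -1;
        logger.debugv("Create login cookie - name: {0}, path: {1}, max-age: {2}", KEYCLOAK_IDENTITY_COOKIE, cookiePath, Integer.valueOf(identityMaxAge));
        CookieHelper.addCookie(KEYCLOAK_IDENTITY_COOKIE, encodedToken, cookiePath, null, null, identityMaxAge, secureOnly, true);

        // Session cookie: not HttpOnly (last argument false); it carries only realm/user/session ids.
        String sessionCookieValue = realmModel.getName() + "/" + userModel.getId();
        if (userSessionModel != null) {
            sessionCookieValue = sessionCookieValue + "/" + userSessionModel.getId();
        }
        int sessionMaxAge = rememberMe ? rememberMeLifespan : realmModel.getSsoSessionMaxLifespan();
        CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, sessionMaxAge, secureOnly, false);
        P3PHelper.addP3PHeader(keycloakSession);
    }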

    /**
     * Sets the HttpOnly remember-me cookie with value {@code "username:" + str}, scoped to
     * the realm cookie path and valid for one year.
     *
     * @param str username to remember
     */
    public static void createRememberMeCookie(RealmModel realmModel, String str, UriInfo uriInfo, ClientConnection clientConnection) {
        final int oneYearSeconds = 365 * 24 * 60 * 60; // 31536000
        String cookiePath = getIdentityCookiePath(realmModel, uriInfo);
        boolean secureOnly = realmModel.getSslRequired().isRequired(clientConnection);
        CookieHelper.addCookie(KEYCLOAK_REMEMBER_ME, "username:" + str, cookiePath, null, null, oneYearSeconds, secureOnly, true);
    }

    /**
     * Reads the username from the remember-me cookie.
     *
     * @return the remembered username, or {@code null} when the realm has remember-me
     *         disabled, the cookie is absent, or its value is not exactly
     *         {@code "username:<name>"}
     */
    public static String getRememberMeUsername(RealmModel realmModel, HttpHeaders httpHeaders) {
        if (!realmModel.isRememberMe()) {
            return null;
        }
        Cookie cookie = httpHeaders.getCookies().get(KEYCLOAK_REMEMBER_ME);
        if (cookie == null) {
            return null;
        }
        // split() never yields an empty array, so index 0 is always safe.
        String[] parts = cookie.getValue().split(":");
        boolean wellFormed = parts.length == 2 && parts[0].equals("username");
        return wellFormed ? parts[1] : null;
    }

    /**
     * Expires the identity and session cookies at both the current realm cookie path
     * (with trailing slash) and the old path (without), so stale cookies set under the
     * old path are cleared too.
     */
    public static void expireIdentityCookie(RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection) {
        logger.debug("Expiring identity cookie");
        String[] paths = {getIdentityCookiePath(realmModel, uriInfo), getOldCookiePath(realmModel, uriInfo)};
        for (String path : paths) {
            expireCookie(realmModel, KEYCLOAK_IDENTITY_COOKIE, path, true, clientConnection);
            expireCookie(realmModel, KEYCLOAK_SESSION_COOKIE, path, false, clientConnection);
        }
    }

    /**
     * Expires the identity and session cookies set under the old realm cookie path
     * (the one without a trailing slash).
     */
    public static void expireOldIdentityCookie(RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection) {
        logger.debug("Expiring old identity cookie with wrong path");
        String oldPath = getOldCookiePath(realmModel, uriInfo);
        // Identity cookie is HttpOnly, session cookie is not -- match how they were set.
        expireCookie(realmModel, KEYCLOAK_IDENTITY_COOKIE, oldPath, true, clientConnection);
        expireCookie(realmModel, KEYCLOAK_SESSION_COOKIE, oldPath, false, clientConnection);
    }

    /** Expires the remember-me cookie at the realm cookie path. */
    public static void expireRememberMeCookie(RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection) {
        logger.debug("Expiring remember me cookie");
        String cookiePath = getIdentityCookiePath(realmModel, uriInfo);
        expireCookie(realmModel, KEYCLOAK_REMEMBER_ME, cookiePath, true, clientConnection);
    }

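    /**
     * Expires the {@code AUTH_SESSION_ID} cookie set under the old realm cookie path
     * (without trailing slash).
     */
    public static void expireOldAuthSessionCookie(RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection) {
        // Placeholder must be {0}: the previous "{1}" had no matching argument, so the cookie name never rendered.
        logger.debugv("Expire {0} cookie .", AuthenticationSessionManager.AUTH_SESSION_ID);
        expireCookie(realmModel, AuthenticationSessionManager.AUTH_SESSION_ID, getOldCookiePath(realmModel, uriInfo), true, clientConnection);
    }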

    /** Path the identity/session/remember-me cookies are scoped to: the realm cookie path. */
    protected static String getIdentityCookiePath(RealmModel realmModel, UriInfo uriInfo) {
        String realmPath = getRealmCookiePath(realmModel, uriInfo);
        return realmPath;
    }

    /** Raw path of the realm base URL with a trailing slash appended. */
    public static String getRealmCookiePath(RealmModel realmModel, UriInfo uriInfo) {
        UriBuilder realmBase = RealmsResource.realmBaseUrl(uriInfo);
        String rawPath = realmBase.build(realmModel.getName()).getRawPath();
        return rawPath + "/";
    }

    /**
     * Returns the legacy realm cookie path: the realm base path without a trailing slash.
     *
     * @param realmModel realm whose name is substituted into the realm base URL
     * @param uriInfo    request URI info providing the base URI
     * @return the raw realm path, no trailing slash
     */
    public static String getOldCookiePath(RealmModel realmModel, UriInfo uriInfo) {
        UriBuilder realmBase = RealmsResource.realmBaseUrl(uriInfo);
        return realmBase.build(realmModel.getName()).getRawPath();
    }

    /**
     * Returns the raw path of the realm's account console URL.
     *
     * @param realmModel realm whose name is substituted into the account URL
     * @param uriInfo    request URI info providing the base URI builder
     * @return the raw account path
     */
    public static String getAccountCookiePath(RealmModel realmModel, UriInfo uriInfo) {
        UriBuilder accountBase = RealmsResource.accountUrl(uriInfo.getBaseUriBuilder());
        return accountBase.build(realmModel.getName()).getRawPath();
    }

    /**
     * Emits a Set-Cookie that clears the named cookie on the given path (max-age 0).
     *
     * @param realmModel       realm whose SSL-required policy decides the secure flag
     * @param str              cookie name
     * @param str2             cookie path
     * @param z                forwarded as the last flag of CookieHelper.addCookie — presumably httpOnly; verify against CookieHelper
     * @param clientConnection connection evaluated against the realm's SSL-required policy
     */
    public static void expireCookie(RealmModel realmModel, String str, String str2, boolean z, ClientConnection clientConnection) {
        logger.debugv("Expiring cookie: {0} path: {1}", str, str2);
        // secure flag follows the realm policy for this connection; max-age 0 makes the
        // browser drop the cookie immediately. The value constant reads as an empty string
        // (decompiler-inlined) — verify.
        boolean secure = realmModel.getSslRequired().isRequired(clientConnection);
        int maxAgeExpireNow = 0;
        CookieHelper.addCookie(str, StackoverflowIdentityProvider.DEFAULT_SCOPE, str2, null, "Expiring cookie", maxAgeExpireNow, secure, z);
    }

    /**
     * Authenticates the request's identity cookie with the active/not-before checks enabled.
     *
     * @param keycloakSession current session (provides request context)
     * @param realmModel      realm the cookie must belong to
     * @return the authentication result, or {@code null} if the cookie is absent or invalid
     */
    public AuthResult authenticateIdentityCookie(KeycloakSession keycloakSession, RealmModel realmModel) {
        boolean checkActive = true;
        return authenticateIdentityCookie(keycloakSession, realmModel, checkActive);
    }

    /**
     * Authenticates the request via the identity cookie. On success the user session's
     * last-refresh time is bumped; on failure both the current and legacy identity cookies
     * are expired so the browser stops presenting a dead token.
     *
     * @param keycloakSession current session (provides request headers, URI and connection)
     * @param realmModel      realm the cookie must belong to
     * @param z               forwarded to verifyIdentityToken as its checkActive flag
     * @return the authentication result, or {@code null} if the cookie is missing, empty or fails verification
     */
    public static AuthResult authenticateIdentityCookie(KeycloakSession keycloakSession, RealmModel realmModel, boolean z) {
        Cookie identityCookie = keycloakSession.getContext().getRequestHeaders().getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
        boolean missing = identityCookie == null || StackoverflowIdentityProvider.DEFAULT_SCOPE.equals(identityCookie.getValue());
        if (missing) {
            logger.debugv("Could not find cookie: {0}", KEYCLOAK_IDENTITY_COOKIE);
            return null;
        }
        UriInfo uriInfo = keycloakSession.getContext().getUri();
        ClientConnection connection = keycloakSession.getContext().getConnection();
        AuthResult result = verifyIdentityToken(keycloakSession, realmModel, uriInfo, connection, z, false, true,
                identityCookie.getValue(), keycloakSession.getContext().getRequestHeaders(), VALIDATE_IDENTITY_COOKIE);
        if (result == null) {
            // Clear the stale cookie on both path variants so the browser does not keep replaying it.
            expireIdentityCookie(realmModel, uriInfo, connection);
            expireOldIdentityCookie(realmModel, uriInfo, connection);
            return null;
        }
        result.getSession().setLastSessionRefresh(Time.currentTime());
        return result;
    }

    /**
     * Resolves the login protocol named by the authentication session, wires it to the
     * current request, and delegates to the protocol-aware overload.
     *
     * @return the protocol's post-authentication response
     */
    public static Response redirectAfterSuccessfulFlow(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext, HttpRequest httpRequest, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder eventBuilder, AuthenticationSessionModel authenticationSessionModel) {
        String protocolId = authenticationSessionModel.getProtocol();
        LoginProtocol protocol = keycloakSession.getProvider(LoginProtocol.class, protocolId);
        protocol.setRealm(realmModel)
                .setHttpHeaders(httpRequest.getHttpHeaders())
                .setUriInfo(uriInfo)
                .setEventBuilder(eventBuilder);
        return redirectAfterSuccessfulFlow(keycloakSession, realmModel, userSessionModel, clientSessionContext,
                httpRequest, uriInfo, clientConnection, eventBuilder, authenticationSessionModel, protocol);
    }

    /**
     * Completes a successful login: removes the previous user session referenced by the
     * session cookie (when it is a different, still-existing session), issues the login
     * cookies, updates remember-me and SSO bookkeeping, then hands off to the protocol.
     *
     * @return the protocol's post-authentication response
     */
    public static Response redirectAfterSuccessfulFlow(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext, HttpRequest httpRequest, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder eventBuilder, AuthenticationSessionModel authenticationSessionModel, LoginProtocol loginProtocol) {
        Cookie sessionCookie = httpRequest.getHttpHeaders().getCookies().get(KEYCLOAK_SESSION_COOKIE);
        if (sessionCookie != null) {
            // The cookie value is "/"-separated and the third segment is treated as the previous
            // session id. NOTE(review): the value is client-supplied and the lookup below does not
            // check that the session belongs to the same user — presumably intended to replace the
            // prior SSO session; confirm.
            String[] segments = sessionCookie.getValue().split("/");
            if (segments.length >= 3) {
                String previousSessionId = segments[2];
                if (!previousSessionId.equals(userSessionModel.getId())) {
                    UserSessionModel previousSession = keycloakSession.sessions().getUserSession(realmModel, previousSessionId);
                    if (previousSession != null) {
                        logger.debugv("Removing old user session: session: {0}", previousSessionId);
                        keycloakSession.sessions().removeUserSession(realmModel, previousSession);
                    }
                }
            }
        }
        UserModel user = userSessionModel.getUser();
        keycloakSession.getContext().resolveLocale(user);
        createLoginCookie(keycloakSession, realmModel, user, userSessionModel, uriInfo, clientConnection);
        if (userSessionModel.getState() != UserSessionModel.State.LOGGED_IN) {
            userSessionModel.setState(UserSessionModel.State.LOGGED_IN);
        }
        if (userSessionModel.isRememberMe()) {
            createRememberMeCookie(realmModel, userSessionModel.getLoginUsername(), uriInfo, clientConnection);
        } else {
            expireRememberMeCookie(realmModel, uriInfo, clientConnection);
        }
        AuthenticatedClientSessionModel clientSession = clientSessionContext.getClientSession();
        boolean ssoAuthentication = SamlProtocol.ATTRIBUTE_TRUE_VALUE.equals(keycloakSession.getAttribute(SSO_AUTH));
        if (ssoAuthentication) {
            clientSession.setNote(SSO_AUTH, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
        } else {
            // Fresh (non-SSO) authentication: stamp the auth time and clear any stale SSO marker.
            userSessionModel.setNote(AUTH_TIME, String.valueOf(Time.currentTime()));
            clientSession.removeNote(SSO_AUTH);
        }
        return loginProtocol.authenticated(authenticationSessionModel, userSessionModel, clientSessionContext);
    }

    /**
     * Tells whether the client session was established through SSO rather than a
     * fresh authentication, based on the {@code SSO_AUTH} client-session note.
     *
     * @param authenticatedClientSessionModel client session to inspect
     * @return {@code true} if the note parses as boolean true
     */
    public static boolean isSSOAuthentication(AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        String ssoNote = authenticatedClientSessionModel.getNote(SSO_AUTH);
        return Boolean.parseBoolean(ssoNote);
    }

    /**
     * Runs the pending required actions; if one produces a response (challenge or error)
     * it is returned, otherwise the flow is finished.
     *
     * @return the required-action response, or the post-required-actions response
     */
    public static Response nextActionAfterAuthentication(KeycloakSession keycloakSession, AuthenticationSessionModel authenticationSessionModel, ClientConnection clientConnection, HttpRequest httpRequest, UriInfo uriInfo, EventBuilder eventBuilder) {
        Response pending = actionRequired(keycloakSession, authenticationSessionModel, clientConnection, httpRequest, uriInfo, eventBuilder);
        if (pending != null) {
            return pending;
        }
        return finishedRequiredActions(keycloakSession, authenticationSessionModel, null, clientConnection, httpRequest, uriInfo, eventBuilder);
    }

    /**
     * Marks the authentication session as being in the required-actions phase and
     * builds a 302 to the login-actions required-action endpoint.
     *
     * @param str the execution id to record and pass as {@code execution}; may be {@code null}
     * @return a 302 response pointing at the required-action endpoint
     */
    public static Response redirectToRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, AuthenticationSessionModel authenticationSessionModel, UriInfo uriInfo, String str) {
        ClientSessionCode code = new ClientSessionCode(keycloakSession, realmModel, authenticationSessionModel);
        code.setAction(CommonClientSessionModel.Action.REQUIRED_ACTIONS.name());
        authenticationSessionModel.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, LoginActionsService.REQUIRED_ACTION);
        authenticationSessionModel.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, str);
        UriBuilder target = LoginActionsService.loginActionsBaseUrl(uriInfo).path(LoginActionsService.REQUIRED_ACTION);
        if (str != null) {
            target.queryParam("execution", str);
        }
        target.queryParam("client_id", authenticationSessionModel.getClient().getClientId());
        target.queryParam("tab_id", authenticationSessionModel.getTabId());
        // Only propagate the auth session id when the incoming request already carried one.
        boolean authSessionIdInQuery = uriInfo.getQueryParameters().containsKey(LoginActionsService.AUTH_SESSION_ID);
        if (authSessionIdInQuery) {
            target.queryParam(LoginActionsService.AUTH_SESSION_ID, authenticationSessionModel.getParentSession().getId());
        }
        return Response.status(302).location(target.build(realmModel.getName())).build();
    }

    /**
     * Finishes the flow once required actions are done. Invalidates the action token that
     * started it (if any); then either attaches a user session and redirects (normal login)
     * or renders an "account updated" info page and drops the authentication session when
     * {@code END_AFTER_REQUIRED_ACTIONS} is set.
     *
     * @param userSessionModel existing user session to attach, or {@code null}
     * @return the redirect or info-page response
     */
    public static Response finishedRequiredActions(KeycloakSession keycloakSession, AuthenticationSessionModel authenticationSessionModel, UserSessionModel userSessionModel, ClientConnection clientConnection, HttpRequest httpRequest, UriInfo uriInfo, EventBuilder eventBuilder) {
        // Invalidate the originating action token so it cannot be presented again.
        String actionTokenNote = authenticationSessionModel.getAuthNote(INVALIDATE_ACTION_TOKEN);
        DefaultActionTokenKey actionTokenKey = actionTokenNote == null ? null : DefaultActionTokenKey.from(actionTokenNote);
        if (actionTokenKey != null) {
            Map<String, String> noNotes = null;
            keycloakSession.getProvider(ActionTokenStoreProvider.class).put(actionTokenKey, noNotes);
        }
        boolean endAfterRequiredActions = authenticationSessionModel.getAuthNote(END_AFTER_REQUIRED_ACTIONS) != null;
        if (!endAfterRequiredActions) {
            RealmModel realm = authenticationSessionModel.getRealm();
            ClientSessionContext clientSessionCtx = AuthenticationProcessor.attachSession(authenticationSessionModel, userSessionModel, keycloakSession, realm, clientConnection, eventBuilder);
            UserSessionModel attachedUserSession = clientSessionCtx.getClientSession().getUserSession();
            eventBuilder.event(EventType.LOGIN);
            eventBuilder.session(attachedUserSession);
            eventBuilder.success();
            return redirectAfterSuccessfulFlow(keycloakSession, realm, attachedUserSession, clientSessionCtx, httpRequest, uriInfo, clientConnection, eventBuilder, authenticationSessionModel);
        }
        LoginFormsProvider forms = keycloakSession.getProvider(LoginFormsProvider.class)
                .setAuthenticationSession(authenticationSessionModel)
                .setSuccess(Messages.ACCOUNT_UPDATED);
        if (authenticationSessionModel.getAuthNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null) {
            String redirectUri = authenticationSessionModel.getRedirectUri();
            if (redirectUri != null) {
                forms.setAttribute("pageRedirectUri", redirectUri);
            }
        } else {
            forms.setAttribute("skipLink", true);
        }
        Response infoPage = forms.createInfoPage();
        // The page is rendered before the authentication session is removed.
        new AuthenticationSessionManager(keycloakSession).removeAuthenticationSession(authenticationSessionModel.getRealm(), authenticationSessionModel, true);
        return infoPage;
    }

    /**
     * Determines the next required action for the authenticated user after evaluating
     * all triggers: a user-level action first, then a session-level one, then the
     * consent screen when the client requires consent for not-yet-granted scopes.
     *
     * @return the action name, or {@code null} when nothing is pending
     */
    public static String nextRequiredAction(KeycloakSession keycloakSession, AuthenticationSessionModel authenticationSessionModel, ClientConnection clientConnection, HttpRequest httpRequest, UriInfo uriInfo, EventBuilder eventBuilder) {
        RealmModel realm = authenticationSessionModel.getRealm();
        UserModel user = authenticationSessionModel.getAuthenticatedUser();
        evaluateRequiredActionTriggers(keycloakSession, authenticationSessionModel, clientConnection, httpRequest, uriInfo, eventBuilder, realm, user);
        Set<String> userActions = user.getRequiredActions();
        if (!userActions.isEmpty()) {
            return userActions.iterator().next();
        }
        Set<String> sessionActions = authenticationSessionModel.getRequiredActions();
        if (!sessionActions.isEmpty()) {
            return sessionActions.iterator().next();
        }
        ClientModel client = authenticationSessionModel.getClient();
        if (!client.isConsentRequired()) {
            eventBuilder.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, "no_consent_required");
            return null;
        }
        UserConsentModel grantedConsent = getEffectiveGrantedConsent(keycloakSession, authenticationSessionModel);
        boolean scopesNeedApproval = !getClientScopesToApproveOnConsentScreen(realm, grantedConsent, authenticationSessionModel).isEmpty();
        if (scopesNeedApproval) {
            return CommonClientSessionModel.Action.OAUTH_GRANT.name();
        }
        String consentDetail = grantedConsent != null ? "persistent_consent" : "no_consent_required";
        eventBuilder.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, consentDetail);
        return null;
    }

    /**
     * Returns the stored consent for this user/client, unless the request carried
     * {@code prompt=consent}, in which case stored consent is ignored so the consent
     * screen is shown again.
     *
     * @return the persisted consent, or {@code null} when none applies
     */
    private static UserConsentModel getEffectiveGrantedConsent(KeycloakSession keycloakSession, AuthenticationSessionModel authenticationSessionModel) {
        String promptParam = authenticationSessionModel.getClientNote(OIDCLoginProtocol.PROMPT_PARAM);
        boolean consentPromptRequested = TokenUtil.hasPrompt(promptParam, OIDCLoginProtocol.PROMPT_VALUE_CONSENT);
        if (consentPromptRequested) {
            return null;
        }
        RealmModel realm = authenticationSessionModel.getRealm();
        String userId = authenticationSessionModel.getAuthenticatedUser().getId();
        String clientId = authenticationSessionModel.getClient().getId();
        return keycloakSession.users().getConsentByClient(realm, userId, clientId);
    }

    /**
     * Executes pending required actions (user-level then session-level) and, if none
     * produced a response, renders the OAuth consent page when the client requires consent
     * for scopes not yet granted.
     *
     * @return a challenge/error/consent response, or {@code null} when nothing is pending
     */
    public static Response actionRequired(KeycloakSession keycloakSession, AuthenticationSessionModel authenticationSessionModel, ClientConnection clientConnection, HttpRequest httpRequest, UriInfo uriInfo, EventBuilder eventBuilder) {
        RealmModel realm = authenticationSessionModel.getRealm();
        UserModel user = authenticationSessionModel.getAuthenticatedUser();
        ClientModel client = authenticationSessionModel.getClient();
        evaluateRequiredActionTriggers(keycloakSession, authenticationSessionModel, clientConnection, httpRequest, uriInfo, eventBuilder, realm, user);
        logger.debugv("processAccessCode: go to oauth page?: {0}", Boolean.valueOf(client.isConsentRequired()));
        eventBuilder.detail("code_id", authenticationSessionModel.getParentSession().getId());
        // User-level actions are run first; session-level actions are read only afterwards,
        // since the first pass may have changed them.
        Response userActionResponse = executionActions(keycloakSession, authenticationSessionModel, httpRequest, eventBuilder, realm, user, user.getRequiredActions());
        if (userActionResponse != null) {
            return userActionResponse;
        }
        Response sessionActionResponse = executionActions(keycloakSession, authenticationSessionModel, httpRequest, eventBuilder, realm, user, authenticationSessionModel.getRequiredActions());
        if (sessionActionResponse != null) {
            return sessionActionResponse;
        }
        if (!client.isConsentRequired()) {
            eventBuilder.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, "no_consent_required");
            return null;
        }
        UserConsentModel grantedConsent = getEffectiveGrantedConsent(keycloakSession, authenticationSessionModel);
        List<ClientScopeModel> scopesToApprove = getClientScopesToApproveOnConsentScreen(realm, grantedConsent, authenticationSessionModel);
        if (scopesToApprove.isEmpty()) {
            String consentDetail = grantedConsent != null ? "persistent_consent" : "no_consent_required";
            eventBuilder.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, consentDetail);
            return null;
        }
        String grantAction = CommonClientSessionModel.Action.OAUTH_GRANT.name();
        ClientSessionCode code = new ClientSessionCode(keycloakSession, realm, authenticationSessionModel);
        code.setAction(CommonClientSessionModel.Action.REQUIRED_ACTIONS.name());
        authenticationSessionModel.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, grantAction);
        return keycloakSession.getProvider(LoginFormsProvider.class)
                .setAuthenticationSession(authenticationSessionModel)
                .setExecution(grantAction)
                .setClientSessionCode(code.getOrGenerateCode())
                .setAccessRequest(scopesToApprove)
                .createOAuthGrant();
    }

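    /**
     * Collects the client scopes requested in this authentication session that should be
     * shown on the consent screen and are not already covered by the given consent.
     *
     * @param realmModel                 realm used to resolve scope ids
     * @param userConsentModel           previously granted consent, or {@code null} for none
     * @param authenticationSessionModel session whose requested scope ids are examined
     * @return the scopes still needing approval; empty when none
     */
    private static List<ClientScopeModel> getClientScopesToApproveOnConsentScreen(RealmModel realmModel, UserConsentModel userConsentModel, AuthenticationSessionModel authenticationSessionModel) {
        // Typed collections and for-each instead of raw LinkedList/Iterator with casts.
        List<ClientScopeModel> scopesToApprove = new ArrayList<>();
        ClientModel client = authenticationSessionModel.getClient();
        for (String clientScopeId : authenticationSessionModel.getClientScopes()) {
            ClientScopeModel clientScope = KeycloakModelUtils.findClientScopeById(realmModel, client, clientScopeId);
            if (clientScope == null || !clientScope.isDisplayOnConsentScreen()) {
                continue;
            }
            boolean alreadyGranted = userConsentModel != null && userConsentModel.isClientScopeGranted(clientScope);
            if (!alreadyGranted) {
                scopesToApprove.add(clientScope);
            }
        }
        return scopesToApprove;
    }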

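    /**
     * Resolves the {@code scope} client note against the client's configured scopes and
     * stores the resulting scope ids on the authentication session.
     *
     * @param authenticationSessionModel session whose client scopes are set
     */
    public static void setClientScopesInSession(AuthenticationSessionModel authenticationSessionModel) {
        ClientModel client = authenticationSessionModel.getClient();
        String requestedScope = authenticationSessionModel.getClientNote("scope");
        // Typed set instead of a raw HashSet; the former unused getAuthenticatedUser() call is dropped.
        Set<String> clientScopeIds = new HashSet<>();
        for (ClientScopeModel clientScope : TokenManager.getRequestedClientScopes(requestedScope, client)) {
            clientScopeIds.add(clientScope.getId());
        }
        authenticationSessionModel.setClientScopes(clientScopeIds);
    }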

    /**
     * Instantiates the required-action provider for this context, honouring the
     * {@code display} auth note: display-aware factories may supply a variant; otherwise
     * a {@code console} display that cannot be served aborts with DISPLAY_NOT_SUPPORTED.
     *
     * @param requiredActionContextResult context holding the factory, session and auth session
     * @return the provider to run
     * @throws AuthenticationFlowException when console display was requested but is unsupported
     */
    public static RequiredActionProvider createRequiredAction(RequiredActionContextResult requiredActionContextResult) {
        RequiredActionFactory factory = requiredActionContextResult.getFactory();
        KeycloakSession session = requiredActionContextResult.getSession();
        AuthenticationSessionModel authSession = requiredActionContextResult.getAuthenticationSession();
        String display = authSession.getAuthNote("display");
        if (display == null) {
            return factory.create(session);
        }
        if (factory instanceof DisplayTypeRequiredActionFactory) {
            RequiredActionProvider displayProvider = ((DisplayTypeRequiredActionFactory) factory).createDisplay(session, display);
            if (displayProvider != null) {
                return displayProvider;
            }
        }
        boolean consoleDisplay = "console".equalsIgnoreCase(display);
        if (!consoleDisplay) {
            return factory.create(session);
        }
        // Console display cannot be honoured here: clear the note and fall back to the browser.
        authSession.removeAuthNote("display");
        String requestUri = requiredActionContextResult.getUriInfo().getRequestUri().toString();
        throw new AuthenticationFlowException(AuthenticationFlowError.DISPLAY_NOT_SUPPORTED, ConsoleDisplayMode.browserContinue(session, requestUri));
    }

    /**
     * Runs the given required actions in priority order and returns the first response
     * that interrupts the flow.
     *
     * <p>Per action: the provider is created, its challenge is issued, then the context
     * status decides — FAILURE yields the protocol's CONSENT_DENIED error response and a
     * "rejected_by_user" event error; CHALLENGE records the provider id as the current
     * execution and returns the challenge; SUCCESS logs a CUSTOM_REQUIRED_ACTION event and
     * removes the action from both the user and the authentication session. A flow
     * exception carrying a response short-circuits with that response; one without is
     * rethrown.
     *
     * @param set the required-action aliases to run
     * @return the interrupting response, or {@code null} when every action completed
     * @throws RuntimeException when no factory is registered for an action's provider id
     */
    protected static Response executionActions(KeycloakSession keycloakSession, AuthenticationSessionModel authenticationSessionModel, HttpRequest httpRequest, EventBuilder eventBuilder, RealmModel realmModel, UserModel userModel, Set<String> set) {
        for (RequiredActionProviderModel requiredActionProviderModel : sortRequiredActionsByPriority(realmModel, set)) {
            RequiredActionFactory providerFactory = keycloakSession.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, requiredActionProviderModel.getProviderId());
            if (providerFactory == null) {
                throw new RuntimeException("Unable to find factory for Required Action: " + requiredActionProviderModel.getProviderId() + " did you forget to declare it in a META-INF/services file?");
            }
            RequiredActionContextResult requiredActionContextResult = new RequiredActionContextResult(authenticationSessionModel, realmModel, eventBuilder, keycloakSession, httpRequest, userModel, providerFactory);
            try {
                createRequiredAction(requiredActionContextResult).requiredActionChallenge(requiredActionContextResult);
                if (requiredActionContextResult.getStatus() == RequiredActionContext.Status.FAILURE) {
                    // The error page is rendered by the session's login protocol, wired to this request.
                    LoginProtocol provider = requiredActionContextResult.getSession().getProvider(LoginProtocol.class, requiredActionContextResult.getAuthenticationSession().getProtocol());
                    provider.setRealm(requiredActionContextResult.getRealm()).setHttpHeaders(requiredActionContextResult.getHttpRequest().getHttpHeaders()).setUriInfo(requiredActionContextResult.getUriInfo()).setEventBuilder(eventBuilder);
                    Response sendError = provider.sendError(requiredActionContextResult.getAuthenticationSession(), LoginProtocol.Error.CONSENT_DENIED);
                    eventBuilder.error("rejected_by_user");
                    return sendError;
                }
                if (requiredActionContextResult.getStatus() == RequiredActionContext.Status.CHALLENGE) {
                    // Remember which action is in progress so the follow-up request resumes it.
                    authenticationSessionModel.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, requiredActionProviderModel.getProviderId());
                    return requiredActionContextResult.getChallenge();
                }
                if (requiredActionContextResult.getStatus() == RequiredActionContext.Status.SUCCESS) {
                    // clone() keeps the main event untouched while recording the completed action.
                    eventBuilder.clone().event(EventType.CUSTOM_REQUIRED_ACTION).detail("custom_required_action", providerFactory.getId()).success();
                    authenticationSessionModel.getAuthenticatedUser().removeRequiredAction(providerFactory.getId());
                    authenticationSessionModel.removeRequiredAction(providerFactory.getId());
                }
                // Any other status (e.g. ignored) simply moves on to the next action.
            } catch (AuthenticationFlowException e) {
                if (e.getResponse() != null) {
                    return e.getResponse();
                }
                throw e;
            }
        }
        return null;
    }

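    /**
     * Resolves required-action aliases to their realm configuration, keeps only enabled
     * ones, and orders them with {@link RequiredActionProviderModel.RequiredActionComparator}.
     * Aliases with no configuration are logged and skipped.
     *
     * @param realmModel realm providing the required-action configuration
     * @param set        aliases to resolve; {@code null} is treated as empty
     * @return the enabled, priority-sorted models (mutable list)
     */
    private static List<RequiredActionProviderModel> sortRequiredActionsByPriority(RealmModel realmModel, Set<String> set) {
        // Typed list instead of a raw ArrayList; tolerate a null alias set.
        List<RequiredActionProviderModel> enabledActions = new ArrayList<>();
        if (set == null) {
            return enabledActions;
        }
        for (String alias : set) {
            RequiredActionProviderModel model = realmModel.getRequiredActionProviderByAlias(alias);
            if (model == null) {
                logger.warnv("Could not find configuration for Required Action {0}, did you forget to register it?", alias);
            } else if (model.isEnabled()) {
                enabledActions.add(model);
            }
        }
        enabledActions.sort(RequiredActionProviderModel.RequiredActionComparator.SINGLETON);
        return enabledActions;
    }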

    /**
     * Lets every enabled required-action provider of the realm evaluate its triggers for
     * the user. The context handed to the provider rejects challenge/failure/success/ignore,
     * since trigger evaluation may only add or remove required actions, not produce a result.
     *
     * @throws RuntimeException when no factory is registered for an enabled provider id, or
     *                          when a provider calls a result method from evaluateTriggers()
     */
    public static void evaluateRequiredActionTriggers(KeycloakSession keycloakSession, AuthenticationSessionModel authenticationSessionModel, ClientConnection clientConnection, HttpRequest httpRequest, UriInfo uriInfo, EventBuilder eventBuilder, RealmModel realmModel, UserModel userModel) {
        for (RequiredActionProviderModel actionModel : realmModel.getRequiredActionProviders()) {
            if (!actionModel.isEnabled()) {
                continue;
            }
            String providerId = actionModel.getProviderId();
            RequiredActionFactory factory = keycloakSession.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, providerId);
            if (factory == null) {
                throw new RuntimeException("Unable to find factory for Required Action: " + providerId + " did you forget to declare it in a META-INF/services file?");
            }
            RequiredActionProvider provider = factory.create(keycloakSession);
            provider.evaluateTriggers(new RequiredActionContextResult(authenticationSessionModel, realmModel, eventBuilder, keycloakSession, httpRequest, userModel, factory) {
                @Override
                public void challenge(Response response) {
                    throw new RuntimeException("Not allowed to call challenge() within evaluateTriggers()");
                }

                @Override
                public void failure() {
                    throw new RuntimeException("Not allowed to call failure() within evaluateTriggers()");
                }

                @Override
                public void success() {
                    throw new RuntimeException("Not allowed to call success() within evaluateTriggers()");
                }

                @Override
                public void ignore() {
                    throw new RuntimeException("Not allowed to call ignore() within evaluateTriggers()");
                }
            });
        }
    }

    /**
     * Verifies a signed identity token (the identity cookie value) and resolves the user
     * session it references.
     *
     * <p>Verification chain: the verifier's default checks, the realm issuer URL, the
     * optional active and token-type checks, plus any caller-supplied predicates. The
     * signature verifier is obtained from the {@link SignatureProvider} selected by the
     * token header's algorithm name and keyed by the header's key id.
     * NOTE(review): header-declared alg/kid drive verifier selection, so the provider
     * lookup is expected to accept only realm-configured algorithms and keys — confirm
     * in SignatureProvider.
     *
     * @param z            when true, additionally reject inactive tokens and tokens issued before the realm not-before
     * @param z2           forwarded to the verifier's checkTokenType
     * @param z3           when true, do not fall back to an offline user session
     * @param str          the raw token string
     * @param predicateArr extra checks applied by the verifier
     * @return the user, session and token on success; {@code null} when verification fails,
     *         the token is expired, the user is unknown/disabled or has a newer not-before,
     *         or no valid online (or, when allowed, offline) session exists
     */
    public static AuthResult verifyIdentityToken(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection, boolean z, boolean z2, boolean z3, String str, HttpHeaders httpHeaders, TokenVerifier.Predicate<? super AccessToken>... predicateArr) {
        try {
            TokenVerifier withChecks = TokenVerifier.create(str, AccessToken.class).withDefaultChecks().realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realmModel.getName())).checkActive(z).checkTokenType(z2).withChecks(predicateArr);
            // Verifier chosen from the token header (algorithm name and key id) before verify() runs the signature check.
            withChecks.verifierContext(keycloakSession.getProvider(SignatureProvider.class, withChecks.getHeader().getAlgorithm().name()).verifier(withChecks.getHeader().getKeyId()));
            AccessToken token = withChecks.verify().getToken();
            // Realm-level not-before invalidates tokens issued before a realm-wide revocation.
            if (z && (!token.isActive() || token.getIssuedAt() < realmModel.getNotBefore())) {
                logger.debug("Identity cookie expired");
                return null;
            }
            UserSessionModel userSession = keycloakSession.sessions().getUserSession(realmModel, token.getSessionState());
            UserModel userModel = null;
            if (userSession != null) {
                userModel = userSession.getUser();
                if (userModel == null || !userModel.isEnabled()) {
                    logger.debug("Unknown user in identity token");
                    return null;
                }
                // Per-user not-before covers user-level revocation (e.g. forced logout).
                if (token.getIssuedAt() < keycloakSession.users().getNotBeforeOfUser(realmModel, userModel)) {
                    logger.debug("User notBefore newer than token");
                    return null;
                }
            }
            if (isSessionValid(realmModel, userSession)) {
                // Exposes the token's state_checker claim to the rest of the request.
                keycloakSession.setAttribute("state_checker", token.getOtherClaims().get("state_checker"));
                return new AuthResult(userModel, userSession, token);
            }
            if (!z3) {
                UserSessionModel offlineUserSession = keycloakSession.sessions().getOfflineUserSession(realmModel, token.getSessionState());
                if (isOfflineSessionValid(realmModel, offlineUserSession)) {
                    return new AuthResult(offlineUserSession.getUser(), offlineUserSession, token);
                }
            }
            if (userSession != null) {
                // Session exists but is no longer valid: tear it down, including backchannel notifications.
                backchannelLogout(keycloakSession, realmModel, userSession, uriInfo, clientConnection, httpHeaders, true);
            }
            logger.debug("User session not active");
            return null;
        } catch (VerificationException e) {
            // Any verification failure (signature, issuer, expiry, predicates) is treated as "not authenticated".
            logger.debugf("Failed to verify identity token: %s", e.getMessage());
            return null;
        }
    }
}
